Why Your Web Site's Privacy Policy Matters More Than You Think

Posted by: Nick Leiber on August 12, 2009

This is a post by guest blogger Jonathan I. Ezor.

One of the biggest concerns among visitors to Web sites is how their personal information is going to be used. This isn’t a new development; back in March of 2000, BusinessWeek did a cover story on Internet privacy, including a survey showing that the vast majority of users were either very or somewhat concerned about how their information would be used. The same cover story discussed how best to inform and reassure users. (You can see other such surveys, dating back to 1997, here.)

Unfortunately, while the number of businesses with Web sites has continued to expand, as has the sites’ sophistication, the level of disclosure of data practices has not significantly improved. True, most Web sites (especially business ones) have posted “privacy policies,” but too many simply copy language they’ve found on other Web sites. The problem? The borrowed language may describe the practices of the other site, but may not be correct when it comes to the new site using the policy, and when it comes to privacy policies, inaccuracy can be expensive.

Keep in mind that a privacy policy is a disclosure document, whose purpose is to inform (and therefore protect) consumers. When it comes to consumer protection, the FTC and state attorneys general have jurisdiction, and even absent any other applicable laws about privacy (such as the Children’s Online Privacy Protection Act or COPPA, which will be discussed in an upcoming blog), the enforcers can and do sue and fine sites whose privacy policies are well-meaning but wrong. (The FTC publicizes its enforcement and its penalties, adding to the embarrassment for some major companies, including Microsoft.)

How do well-meaning companies get themselves into trouble with their privacy policies? Among the biggest problems is a statement such as, “We will not share your information with any third party.” Very reassuring; almost certainly false. When it comes to the Web, there are numerous legitimate third parties with whom the site owner must share user information just to operate the site: the site’s hosting company, the user’s own ISP (to whom the Web pages are transmitted on their way to the user), the courier delivering any purchases, the banks clearing credit card payments, etc.

Another problematic statement: “We collect your information through the form you complete on the site.” This may be true, but the siteowner will likely also be collecting personal information about the user from text messages, e-mails, faxes, telephone calls, postal mail or other communications with the user, as well as from outside sources (credit card processors, database vendors), etc. Further, though there is not (yet) a federal law requiring all Web sites to have privacy policies, states such as California have rules about policies and what needs to be included in them. (California’s Civil Code Section 1798.83, which mandates certain language and procedures for privacy policies, can be found on this page.)

Given that copying another site’s language is a bad way to create a privacy policy, what’s the right approach? An attorney familiar with the laws and rules about data can guide you through the process of learning exactly how your organization collects data, how it uses the data and how it shares them with others, so the policy can be accurate as well as flexible enough for future uses. For the best results, this process should include IT, sales, marketing, and any other group within the company that touches the site’s information. (Don’t forget that data may also be collected through offline operations; if the information is shared between Web and offline in the company, the offline part needs to be included in the policy.)

There are also organizations like TRUSTe and P3PWiz that offer templates and consulting to help with policies. You may find some good information from the International Association of Privacy Professionals (IAPP). Finally, if your site collects information from children, includes health or financial data, or you have operations in other countries, there may be additional laws with which you must comply. For those, asking a competent lawyer is definitely a good idea.

Don’t forget that your privacy policy has to remain accurate over time. If your information practices change and they’re no longer what’s described in your policy, the policy should change. Be careful, though, that if you are making major changes in your data use, you don’t use information collected under the earlier policy without getting permission from those users. Amazon.com got into trouble with consumers and got the attention of the FTC in 2001 when it made a change in its policy; the FTC said that were Amazon to make a “material change,” it would actually have to get permission from each of its previous customers before using their information in the new ways, which would be a major and probably unsuccessful effort.

Beyond helping you craft an accurate and flexible privacy policy, having a complete picture of how your organization collects, uses and shares information has one other major benefit: it can show you how you’re underutilizing the data you already have. With that knowledge, you can find new ways of understanding, communicating, and serving your customers, while providing them with the comfort that comes with full disclosure.

Jonathan I. Ezor is the director of the Touro Law Center Institute for Business, Law and Technology, and an assistant professor of law and technology. He also serves as special counsel to The Lustigman Firm, a marketing and advertising law firm based in Manhattan. A technology attorney for more than 15 years, Ezor has represented advertising agencies, software developers, banks, retailers, and Internet service providers, and has been in-house counsel to an online retailer, an Internet-based document printing firm, and a multinational Web and software development company.

Reader Comments

Jim Brock

August 13, 2009 06:52 PM

Very helpful post for websites who want to run clean on the privacy front.

Don't forget, it isn't just about your website's own privacy policy, you also need to understand the privacy implications of allowing ad networks and research firms to gather user information on your site. A new free service from privacychoice gives you a custom profile to understand all of those policies based on an independent scan of your site. Check it out here:

FourPx

August 17, 2009 08:51 AM

Carolyn Hodge

August 17, 2009 06:41 PM

This is a very important issue for small businesses and entreprenuers. TNS conducted a survey of small business owners in March and found that 56% cut and paste or copy their privacy statement from another website. This is a legal and credibility no-no.

But who can blame the busy entreprenuer or internet CEO? Until now, when it comes to privacy statements there haven't been many choices for help other than CTRL-C or an attorney. As Mr. Ezor points out, TRUSTe now has an easy to use product that makes it easy and affordable for small businesses to create accurate trustworthy privacy statements.

Jonathan Ezor

August 17, 2009 08:46 PM

Just to clarify, while I appreciate Ms. Hodge's comment, I was not intending to endorse any particular solution, but rather to ensure that every Web site owner creates a policy that is accurate, understandable and flexible. {Jonathan Ezor}

Joseph Anderson

December 2, 2009 12:00 PM

Like everything else in the Internet world privacy must be regulated by a an arbitrary and agreed upon standard. Think of DNS spoofing. In order to stop man in the middle attacks and phishing companies like verisign popped up who were able to verify the validity of a web page. The next market segment seems to be privacy policies which are verified and certified by a third party.

Fat Loss 4 Idiots Diet Reviews

Post a comment

Name

Email

Comment

About

What's it like to run your own company today? Entrepreneurs face multiple hurdles new and old, from raising capital and managing employees to keeping up with technology and competing in a global marketplace. In this blog, the Small Business channel's John Tozzi and Nick Leiber discuss the news, trends, and ideas that matter to small business owners. Follow them on Twitter @newentrepreneur.